This conference aims to bring together application security experts, researchers, educators and practitioners from the industry, academia and international communities such as OWASP, in order to discuss open problems and new solutions in application security. In the context of this track academic researchers will be able to combine interesting results with the experience of practitioners and software engineers.

In addition to the technical issues of the conference programme, our website provides you with tourist information on the city of Madrid, unique for its cultural and historical richness, lovely surroundings and other nice places to visit around the city.

In this conference we will have two acclaimed keynote speakers. The first one is Bruce Schneier, an internationally renowned security technologist and author. The second is Inspector Jorge Martín from the High Tech Crime Unit of the Spanish National Police.

Panel DiscussionTopic: Web Application Security: What should Governments do in 2010?Location: Main Auditorium

16:45 - 17:00

IBWAS'09 ClosingLocation: Main Auditorium

Papers

Speakers

Keynote Speakers

Bruce Schneier

The Future of the Security Industry
Bruce Schneier is an internationally renowned security technologist and author. Described by The Economist as a "security guru," he is best known as a refreshingly candid and lucid security critic and commentator. When people want to know how security really works, they turn to Schneier.

His first bestseller, Applied Cryptography, explained how the arcane science of secret codes actually works, and was described by Wired as "the book the National Security Agency wanted never to be published." His book on computer and network security, Secrets and Lies, was called by Fortune "[a] jewel box of little surprises you can actually use." Beyond Fear tackles the problems of security from the small to the large: personal safety, crime, corporate security, national security. His current book, Schneier on Security, offers insight into everything from the risk of identity theft (vastly overrated) to the long-range security threat of unchecked presidential power and the surprisingly simple way to tamper-proof elections.

Regularly quoted in the media, he has testified on security before the United States Congress on several occasions and has written articles and op eds for many major publications, including The New York Times, The Guardian, Forbes, Wired, Nature, The Bulletin of the Atomic Scientists, The Sydney Morning Herald, The Boston Globe, The San Francisco Chronicle, and The Washington Post.

Schneier also publishes a free monthly newsletter, Crypto-Gram, with over 150,000 readers. In its ten years of regular publication, Crypto-Gram has become one of the most widely read forums for free-wheeling discussions, pointed critiques, and serious debate about security. As head curmudgeon at the table, Schneier explains, debunks, and draws lessons from security stories that make the news.

Schneier is the Chief Security Technology Officer of BT.

Jorge Martín

Jorge Martín is an inspector of the Spanish National Police, and currently the Head of the Logical Security Group from the High-Tech Crime Unit in the Comisaria General de Policía Judicial.

He his a Computer Systems Technical Engineer and since five years now dedicates himself to police investigation in the technological area, focusing his activity on crimes related to intrusions, different types of attacks, malware creation and dissemination and other related issues. He has also a large experience on the filed of computer forensics.

He has participated on different courses and conferences, both in Spain and abroad. Regularly participates on training initiatives with other law enforcement forces on different countries, several Interpol projects about technological investigation techniques and on different European Union studies on the obtaining and manipulation of digital evidences.

Panel Speakers

Justin Clarke

Title: SQL Injection - how far does the rabbit hole go?

Abstract: SQL Injection has been around for over 10 years, and yet it is still to this day not truly understood by many security professionals and developers. With the recent mass attacks against sites across the world, and well publicised data breaches with SQL Injection as a component, it has again come to the fore of vulnerabilities under the spotlight, however many consider it to only be a data access issue, or parameterized queries to be a panacea. This talk explores the deeper, darker areas of SQL Injection, hybrid attacks, SQL Injection worms, and exploiting database functionality. Explore what kinds of things we can expect in future.

Bio: Justin Clarke is a co-founder and Director at Gotham Digital Science, based in the United Kingdom. He has over twelve years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand.
Justin is the lead author and technical editor of "SQL Injection Attacks and Defense" (Syngress 2009), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O¹Reilly 2005), and a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O'Reilly 2007), as well as a speaker at a number of conferences and events on security topics, including Black Hat USA, BruCON, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP.

Dinis Cruz

Abstract: In this talk Dinis Cruz will show the OWASP O2 Platform which is an open source toolkit specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews. The OWASP O2 Platform (http://www.owasp.org/index.php/OWASP_O2_Platform) consumes results from the scanning engines from Ounce Labs, Microsoft's CAT.NET tool, FindBugs, CodeCrawler and AppScan DE, and also provides limited support for Fortify and OWASP WebScarab dumps. In the past, there has been a very healthy skepticism on the usability of Source Code analysis engines to find commonly found vulnerablities in real world applications. This presentation will show that with some creative and powerful tools, it IS possible to use O2 to discover those issues. This presentation will also show O2's advanced support for Struts and Spring MVC.

Bio: Dinis Cruz is the Chief OWASP Evangelist and a Security Consultant based in London (UK) and specialized in: ASP.NET Application Security, Active Directory deployments, Application Security audits and .NET Security Curriculum Development.
Since the 1.1 release of the .Net Framework, Dinis has been one of the strongest proponents of the need to write .Net applications that can be executed in secure Partially Trusted .Net environments, and has done extensive research on: Rooting the CLR, exposing the dangers of Full Trust Asp.Net Code, Type Confusion vulnerabilities in Full Trust (i.e. non verifiable) code, creating .Net Security Protection Layers and using Reflection to dynamically manipulate .Net Client applications.
Dinis is the current [Owasp .Net Project] and [OWASP Autumn of Code] project's leader and the main developer of several of OWASP .Net tools ([SAM'SHE], [ANBS], [SiteGenerator], Owasp Report Generator, [Asp.Net Reflector]).
Dinis is a active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG . His latest course is the two day training course [Advanced Asp.Net Exploits and Countermeasures, which was delivered at the Black Hat 2006 conference and will be presented on the fortcomming [OWASP AppSec Conference] in Seattle.

Luis Corrons

Title:

Abstract: The growth and complexity of the underground cybercrime economy has grown significantly over the past couple of years due to a variety of factors including the rise of social media tools, the global economic slowdown, and an increase in the total number of internet users. For the past 3 years, PandaLabs has monitored the ever-evolving cybercrime economy to discover its tactics, tools, participants, motivations and victims to understand the full extent of criminal activities and ultimately bring an end to the offenses. In October of 2008, PandaLabs published findings from a comprehensive study on the rogueware economy which concluded that the cybercriminals behind fake antivirus software applications were generating upwards of $15 million per month. In July of 2009, it released a follow-on study that proved monthly earnings had more than doubled to approximately $34 million through rougeware attacks distributed via Facebook, MySpace, Twitter, Digg and targeted Blackhat SEO. This session will reveal the latest results from PandaLabs’ ongoing study of the cybercrime economy by illustrating the latest malware strategies used by criminals, examining the changes in their attack strategies over time. The goal of this presentation is to raise the awareness of this growing underground economy.

Bio: Luis Corrons has been working for Panda Security since 1999. He started in the technical support department, helping home and corporative users with virus incidents. A year later, he joined the international technical support team assisting Panda's technical support belonging to their partners distributed over 50 countries around the world. In 2002, he became PandaLabs' director as well as malware alerts coordinator in worldwide infection situations, dealing with worm such as Klez, SQLSlammer, Sobig, Blaster. Sasser, Mydoom, etc. During this time, he has coordinated several automated projects related with malware, such as the automatic analisys and response system, and the malware automatic information system. He's a speaker in several security conferences such as RSA, Virus Bulletin, SecurityBSides, RAID, etc.

Marc Chisinevski

Title: The OWASP Logging Project

Abstract: The goals of the Logging Project are:

To provide tools for software developers in order to help them define and provide meaningful logs

The talk will explore these areas, as well as provide details on existing tools and on related OWASP projects. Research directions for the future will also be discussed. A teaser for the presentation (with sound) can be found here: http://animoto.com/play/zel3bnvPCde7tcqBG3e9Cw

Simon Roses

Title: Microsoft Infosec Team: Security Tools Roadmap

Abstract: The Microsoft IT’s Information Security (InfoSec) group is responsible for information security risk management at Microsoft. We concentrate on the data protection of Microsoft assets, business and enterprise. Our mission is to enable secure and reliable business for Microsoft and its customers. We are an experienced group of IT professionals including architects, developers, program managers and managers.
This talk will present different technologies developed by Infosec to protect Microsoft and released for free, such as CAT.NET, SPIDER, SDR, TAM and SRE and how they fit into SDL (Security Development Lifecycle).

Bio: Simon Roses Femerling works at ACE Services from Microsoft providing security services across Europe. Former PriceWaterhouseCoopers and @Stake. He has many years of security experience where he has authored and cooperated in several security Open Source projects and advisories as OWASP Pantera. Mr Roses is natural from Mallorca Island in the Mediterranean Sea. He holds a postgraduate in E-Commerce from Harvard University and a B.S. from Suffolk University at Boston, Massachusetts and a frequent speaker at security industry events including RSA, OWASP, DeepSec and Microsoft Security Technets.

Dave Harper

Title: Empirical Software Security Assurance

Abstract: By now everyone knows that security must be built in to software; it cannot be bolted on. For more than a decade, scientists, visionaries, and pundits have put forth a multitude of techniques and methodologies for building secure software, but there has been little to recommend one approach over another or to define the boundary between ideas that merely look good on paper and ideas that actually get results. The alchemists and wizards have put on a good show, but it's time to look at the real empirical evidence.
This talk examines software security assurance as it is practiced today. We will discuss popular methodologies and then, based on in-depth interviews with leading enterprises such as Adobe, EMC, Google, Microsoft, QUALCOMM, Wells Fargo, and Depository Trust Clearing Corporation (DTCC), we present a set of benchmarks for developing and growing an enterprise-wide software security initiative, including but not limited to integration into the software development lifecycle (SDLC). While all initiatives are unique, we find that the leaders share a tremendous amount of common ground and wrestle with many of the same problems. Their lessons can be applied in order to build a new effort from scratch or to expand the reach of existing security capabilities.

Bio: David Harper is the EMEA Services Director for Foritfy Software, the market leader in the fast-growing area of Software Security Assurance (SSA). SSA gives organizations the power to ensure that their entire software portfolio -- whether develop internally or acquired through 3rd parties -- is secure and free of vulnerabilities that can be exploited by cyber attackers to steal valuable data and cause mayhem.
David is responsible for helping Fortify’s European Customers establish Software Security Assurance programs to systematically reduce application risk. David has extensive experience of defining and implementing Secure Development Life-cycles, whether in response to a security breach or as part of a PCI or other compliance initiative. David has also worked as security consultant on large e-commerce web-sites.
Prior to joining Fortify, David held consultancy positions at Macrovision and Entrust Technologies. David has over 20 years experience in application development and security and is a graduate of Bristol University.

Raul Siles

Abstract: The Samurai Web Testing Framework (WTF) is an open-source LiveCD focused on web application security testing. It includes an extensive collection of pre-installed and pre-configured top penetration testing and security analysis tools, becoming the perfect environment for assessing and exploiting web applications. The tools categorization guides the analyst through the web-app penetration testing methodology, from reconnaissance, to mapping, discovery and exploitation.
This talk describes the actively developed Samurai WTF distribution, its tool set, including the recently created Samurai WTF Firefox add-ons collection (to convert the browser in the ultimate pentesting tool), the advanced features provided by the integration of multiple attack tools, plus the new tool update capabilities.

Bio: Raul Siles is a founder and senior security analyst with Taddong. His more than 10 years expertise performing advanced security services and solutions in various worldwide industries include security architecture design and reviews, penetration tests, incident handling, forensic analysis, security assessments, and information security research in new technologies, such as, web applications, wireless, honeynets, virtualization, and VoIP. Raul is one of the few individuals who have earned the GIAC Security Expert (GSE) designation. He is a SANS Institute author and instructor of penetration testing courses, a regular speaker at security conferences, author of security books and articles, and contributes to research and open-source projects. He loves security challenges and is member of international organizations, such as the Honeynet Project, or handler of the Internet Storm Center (ISC).

Miguel Almeida

Title: Authentication: choosing a method that fits

Abstract: Through the last five years, we, in the security field, have been witnessing an increase in the number of attacks to (web) application user's credentials, and the refinement and sophistication these attacks have been gaining. There are currently several methods and mechanisms to increase the strength of the authentication process for web applications. To improve the user authentication process, but also to improve the transaction authentication. As an example, one can think of adding one-time password tokens, or digital certificates, EMV cards, or even SMS one-time codes. However, none of these methods comes for free, nor do they provide perfect security. Also, one must consider usability penalties, mobility constraints, and, of course, the direct costs of the gadgets. Moreover, there's evidence that not all kinds of attacks can be stopped by even the most sophisticated of these methods. So, where do we stand? What should we choose? What kind of gadgets should we use for our business critical app, how much will they increase the costs and reduce the risk, and, last but not least, what kind of attacks we’ll be unable to stop anyway? This presentation will focus on ways to figure out how to evaluate the pros and cons of adding these improvements, given the current threats.

Bio: Miguel Almeida is an independent computer and network security professional. He has been testing, reviewing and advising on information security for the last ten years. His work has been focused on financial institutions and it has included engagements where, for a broad view of information security, the technical side as well as the organizational and procedural sides have been analyzed.
Before becoming an independent consultant, Miguel was working with Deloitte and KPMG, where he was responsible for the information security practices in these companies. He was Senior Manager at Deloitte and, before, he was a Manager at KPMG.
His academic studies include Computer Engineering at Instituto Superior Técnico and he is a Microsoft Certified Professional [on Windows security].

Daniele Catteddu

Abstract: The presentation “Cloud Computing: Benefits, risks and recommendations for information security” will cover some the most relevant information security implications of cloud computing from the technical, policy and legal perspective.
Information security benefit and top risks will be outlined and most importantly, concrete recommendations for how to address the risks and maximise the benefits for users will be given.

Bio: Daniele Catteddu, CISM, CISA, is an risk management expert at ENISA where is following various activities in the context of the Emerging and Future Risks programme. Recently he has also contribute in the development and testing of information security practices for SMEs.
Before joining ENISA, Daniele was working as Information Security consultant mainly in the banking and financial sector.
He is a speaker in various Information Security conferences and editor of the recently published report: Cloud Computing: Benefits, risks and recommendations for information security.

Kuai Hinojosa

Title: Deploying Secure Web Applications with OWASP Resources

Abstract: Universities are key to making application security visible and the need to educate software developers about application security as an aspect of proper software development has never been more important. In this presentation I will share how OWASP resources can be used by universities to develop, test and deploy secure web applications. I will discuss challenges that Universities currently face integrating a pplication security best practices, describe how OWASP tools and resources are currently used at New York University to test for most common web application flaws. I will introduce projects such as the OWASP Enterprise Security API which can be used to mitigate most common flaws in web applications and share initiatives the OWASP Global Education Committee is currently working on.

Bio: Kuai Hinojosa has been developing and securing web applications for about 12 years. He previously worked in the banking industry as a database security administrator for the 5th largest bank in the U.S. where he worked in a small team developing applications that protected company's assets. He now works for New York University as a Web Applications Specialist where he continues to use web application development and application security experience to protect university resources. In his spare time Kuai volunteers his time preaching the application security gospel and leading the Minneapolis OWASP chapter. Kuai is a member of the OWASP (Open Web Application Security Project) Global Education Committee.

Fabio E Cerullo

Title: OWASP TOP 10 2009

Abstract: The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more. The OWASP Top 10 was initially released in 2003 and minor updates were made in 2004, 2007, and this 2010 release. We encourage you to use the Top 10 to get your organization started with application security. Developers can learn from the mistakes of other organizations. Executives can start thinking about how to manage the risk that software applications create in their enterprise.

Bio: Fabio E Cerullo is currently working as an IT Security Specialist of AIB Bank in Dublin, Ireland. He has obtained the Certified Information Systems Security Professional (CISSP) certification in December 2006 which he holds in good standing. Prior to joining AIB, he worked as a Security Engineer at Symantec Security Response European Headquarters. Security Response provides customers with world-class analysis and protection from viruses, blended threats, security risks and vulnerabilities. While at Symantec, he also collaborated developing traning materials and workshops for parents and teachers around Internet Safety. Before moving to Ireland, he worked in different software development and training activities with an emphasis in secure software development back in his native Argentina. He holds a Msc in Information Technology from the Catholic University of Buenos Aires, Argentina.

Paulo Querido

Title: What Security in a Liquid Web?

Abstract: What kind of security people ask -- and need -- from the distinct service providers in an ambience of liquidity, where every bit of information is available, and shared, all over the web in real time, all the time. More than issues, the cloud, the personal data, the portability and the panoplia of devices present new challenges to the developer.

Bio: Paulo Querido is a journalist and author long time focused in technology and Internet, and also a web entrepreneur and new media consultant. He lives in Portugal, but writes - and codes - everywhere there is connectivity. As a journalist, he worked for the most prestigious neswspapers in his country -- two decades for weekly Expresso and ocasionally for daily Público -- and he has published 3 books as an author, and 3 other as co-author, all internet-related. He has held several presentations, as well as TV, radio and printed interviews and appearances in the last years, about social media and mainstream media. Ask Google about him: http://s3g.me/pq

Martin Knobloch

Title: Thread Risk Modelling

Abstract: How secure must a application be? To take the appropriate measures we have to identify the risks first and think about the measures later. Threat risk modeling is an essential process for secure web application development. It allows organizations to determine the correct controls and to produce effective countermeasures within budget. This presentation is about how to do a Tread Risk Modelling. What is needed to start and where to go from there!

Bio: Martin Knobloch employed as Software Architect at Sogeti Nederland B.V. He is founder and chair of the taskforce Proactive Security Strategy (PaSS). The taskforce focus on application security of the whole application lifecycle. PaSS covers all expertise involved in application development, from Information Analyst's, over Architecture, Design, Developers, down to testers and application administrators .
In his daily work, Martin is responsible for education in application security matters, advise and implementation of application security measures for customers.
Martin is member of the PVIB.nl and OWASP.org. At OWASP he is member of the Dutch Chapter Board. Next to this he contributes to several projects as the OWASP Boot Camp, OWASP Speaker Project and is project lead of the OWASP Education Project. Furthermore, Martin is member of the OWASP Global Education Committee.

Javier Fernández-Sanguino

Title: Protection of applications at the enterprise in the real world: from audits to controls

Abstract: Securing application development in the enterprise world, where applications range from small in-house applications developed by a small department to large applications developed through an outsourcing company in a project spanning several years. In addition those applications that initially where not considered critical, suddenly become part of a critical process or those that were going to be used in a small and limited internal environment suddenly get promoted and published as a new service on the Internet.
To get a better feeling of what works and what does not work in the harsh world outside, this talk will present examples of do's and dont's coming from real world projects attempting to protect security applications in different stages: from the introduction of technical measures to prevent abuse of Internet-facing applications to source-code driven application security testing.

Bio: Telecommunication Engineer by ETSIT-UPM, he is the sub-director of the Grupo Gesfor Sub-direction of Logical Security and a university Rey Juan Carlos associated professor. He has more than 10 years of experience in the TIC security sector where he has worked as consultant and security project manager, managing and participating in several security projects for the banking industry, industrial, Telco sectors and on several public administration offices.
He is also the author of multiple written press TIC security articles (including the SIC, Seguridad, informática y Comunicaciones magazine) and a member of several open-source development groups such as Debian, and international research and standardization groups in the security field: OWASP, OVAL and the Honeynet project. He also leads and participates in the development of security tools, such as: Tiger, Nessus and Bastille.